Centerstone Insurance and Financial Services, also known as BenefitMall, recently started notifying around 111,000 individuals that some of their protected health information (PHI) may have been compromised and stolen in an email security incident.
BenefitMall, located in Dallas, TX, is a business that offers HR, employee benefits, salaries and employer services. It has around 20,000 consultants, brokers, and certified public accountants all over the country and functions as a business associate to a number of HIPAA-covered organizations.
The organization discovered unauthorized access to its employee email account on October 11, 2018. A third-party computer forensics firm joined the investigation to determine the nature and scope of the breach.
The investigators learned that the email accounts were first accessed in June 2018. The hackers continued to access more email accounts until October 11, the day the attack was discovered. The compromised email accounts were immediately secured to prevent the unauthorized individual from continuing to access the employees’ accounts. The employees had inadvertently given up their account credentials through phishing scams.
An evaluation of the affected email accounts revealed that many email messages contained the personal information of people connected with the services offered. The compromised and possibly stolen data only included names, birth dates, addresses, Social Security numbers, insurance details and bank account numbers.
The security breach prompted BenefitMall to evaluate its email security configurations and strengthen its defenses against phishing attacks. The firm currently uses two-factor authentication on its email system. Employees underwent additional training on private data security and how to avoid phishing scams. Training on both issues will be made available on a regular basis.
BenefitMall has already submitted a security breach report to the appropriate law enforcement agency. BenefitMall will work with the investigators and the insurance firm to determine the people impacted by the breach. The Department of Health and Human Services’ Office for Civil Rights (OCR) was also notified. According to the breach report, 111,589 people were impacted by the incident.